Ubuntu
apparmor package

Bug #872446
Comment #2

Comment 2 for bug 872446

Revision history for this message

Steve Beattie (sbeattie) wrote on 2012-03-26: Re: aa-logprof should detect denials as well as complaints

Jamie, can you describe how you hit this, as I'm unable to reproduce it. In the example below auditd is not running:

$ cat tmp/my.sh
#!/bin/sh

cat "$@" > /dev/null

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 10:59:48 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
#include <abstractions/base>

  /bin/cat rix,
  /bin/dash ix,
  /home/ubuntu/tmp/my.sh r,
}

$ sudo aa-status | grep my.sh
/home/ubuntu/tmp/my.sh
/home/ubuntu/tmp/my.sh//null-f

$ tmp/my.sh /etc/fstab
cat: /etc/fstab: Permission denied

$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/fstab
Mode: r
Severity: 3

1 - #include <abstractions/evince>
[2 - /etc/fstab]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/fstab r to profile.

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/resolv.conf
Mode: r
Severity: 2

1 - #include <abstractions/nameservice>
[2 - /etc/resolv.conf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/resolv.conf
Mode: r
Severity: 2

1 - #include <abstractions/nameservice>
[2 - /etc/resolv.conf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/resolv.conf r to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /home/ubuntu/tmp/my.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /home/ubuntu/tmp/my.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /home/ubuntu/tmp/my.sh.

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 11:04:45 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
#include <abstractions/base>

  /bin/cat rix,
  /bin/dash ix,
  /etc/fstab r,
  /etc/resolv.conf r,
  /home/ubuntu/tmp/my.sh r,

}

(note that resolv.conf access rejection was from a prior run of my.sh)

Jamie, can you describe how you hit this, as I'm unable to reproduce it. In the example below auditd is not running:

$ cat tmp/my.sh
#!/bin/sh

cat "$@" > /dev/null

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 10:59:48 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
  #include <abstractions/base>

/bin/cat rix,
  /bin/dash ix,
  /home/ubuntu/tmp/my.sh r,
}

$ sudo aa-status | grep my.sh
   /home/ubuntu/tmp/my.sh
   /home/ubuntu/tmp/my.sh//null-f

$ tmp/my.sh /etc/fstab
cat: /etc/fstab: Permission denied

$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:  /home/ubuntu/tmp/my.sh
Path:     /etc/fstab
Mode:     r
Severity: 3

1 - #include <abstractions/evince>
 [2 - /etc/fstab]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/fstab r to profile.

Profile:  /home/ubuntu/tmp/my.sh
Path:     /etc/resolv.conf
Mode:     r
Severity: 2

1 - #include <abstractions/nameservice>
 [2 - /etc/resolv.conf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

Profile:  /home/ubuntu/tmp/my.sh
Path:     /etc/resolv.conf
Mode:     r
Severity: 2

1 - #include <abstractions/nameservice>
 [2 - /etc/resolv.conf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/resolv.conf r to profile.

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

[1 - /home/ubuntu/tmp/my.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

[1 - /home/ubuntu/tmp/my.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /home/ubuntu/tmp/my.sh.

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 11:04:45 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
  #include <abstractions/base>

/bin/cat rix,
  /bin/dash ix,
  /etc/fstab r,
  /etc/resolv.conf r,
  /home/ubuntu/tmp/my.sh r,

}

(note that resolv.conf access rejection was from a prior run of my.sh)

Ubuntuapparmor package

Comment 2 for bug 872446

Ubuntu
apparmor package